omnifaces

 - 

Available since OmniFaces 5.0

The <sec:isAuthenticated> tag conditionally renders its content only when the user is authenticated (logged in). This is useful for displaying user-specific content, logout buttons, or other features that should only be available to authenticated users.

Usage

To use the security taglib, declare the omnifaces.security namespace in your Facelets view:

<html xmlns:sec="omnifaces.security">

The <sec:isAuthenticated> tag has no attributes. Simply wrap the content you want to show only to authenticated users.

Example: Welcome message for authenticated users

Display a personalized welcome message only when the user is authenticated:

<sec:isAuthenticated>
    <h:outputText value="Welcome back, #{request.remoteUser}!" />
</sec:isAuthenticated>

Example: Logout button for authenticated users

Show a logout button only when the user is authenticated:

<sec:isAuthenticated>
    <h:form>
        <h:commandButton value="Logout" action="#{loginBean.logout}" />
    </h:form>
</sec:isAuthenticated>

Example: User-specific navigation

Display navigation links that are only available to authenticated users:

<sec:isAuthenticated>
    <ul>
        <li><h:link value="My Profile" outcome="/profile" /></li>
        <li><h:link value="Settings" outcome="/settings" /></li>
        <li><h:link value="My Orders" outcome="/orders" /></li>
    </ul>
</sec:isAuthenticated>

Example: Combined with isAnonymous

Use together with <sec:isAnonymous> to show different navigation based on authentication status:

<sec:isAnonymous>
    <h:link value="Login" outcome="/login" />
    <h:link value="Register" outcome="/register" />
</sec:isAnonymous>

<sec:isAuthenticated>
    <h:link value="Profile" outcome="/profile" />
    <h:form>
        <h:commandLink value="Logout" action="#{loginBean.logout}" />
    </h:form>
</sec:isAuthenticated>

Example: Combined with authorize

Use together with <sec:authorize> to combine authentication and role-based authorization:

<sec:isAuthenticated>
    <h:link value="Dashboard" outcome="/dashboard" />

    <sec:authorize role="ADMIN">
        <h:link value="Admin Panel" outcome="/admin" />
    </sec:authorize>
</sec:isAuthenticated>

Implementation details

This tag checks if SecurityContext.getCallerPrincipal() returns a non-null value. If the principal is not null, the user is considered authenticated and the content will be rendered.

Configuration

This tag requires SecurityContext from jakarta.security.enterprise to be available. If the security context is not available, a warning will be logged and no content will be rendered. Make sure your application has Jakarta Security properly configured.

Documentation & Sources

API documentation

Java source code